I’m often asked by clients why I only deliver bespoke solutions. In fact, I’ve lost count of the number of times I’ve been asked for a ‘pack’ or ‘template’ for a set of policies or procedures. So, I thought I’d pen this short article to answer the bespoke vs template question.
I’m a big fan of making things easy, straightforward, and simple. If a single template could work for all of my clients then I would most certainly advocate this approach. Unfortunately, I am yet to see this happen in practice. I have, however, worked with clients to completely re-engineer their information security management systems after they have followed a set template and later realised that it just doesn’t work for their business. The result is sophisticated methodologies that internal teams don’t understand, comprehensive policies and procedures that don’t align to the way the business operates and that staff ultimately don’t follow, and a stressed and frustrated IT Manager desperately trying to implement something that virtually grinds business operations to a halt!
My advice is to use tools where possible (let’s face it, nobody wants to reinvent the wheel), but you must make sure that they really ‘work’ for your business. Is it easier to manage your third-party suppliers? Can your management team produce consistent risk assessments? Can security incidents be reported, tracked and managed efficiently? Do your policies accurately describe your operations? Always choose a system that accurately reflects the way that you do business; anything else is a false economy. Trust me, the costs of trying to alter business processes to accurately reflect your ISMS will far outweigh the savings made by buying a cheap pack of templates!